Is the contrast.jar signed?


Question

Is the Contrast Java Agent contrast.jar signed?

Answer

Some users are wary of downloading the Contrast Java agent jar from Maven Central. Much of that wariness dates from the time before Maven Central supported HTTPS. Today Maven Central serves artifacts over HTTPS only and no longer accepts plain HTTP connections.

HTTPS protects the download in transit and should allay the concerns of most users, but it does not prove who published the jar. Users who want that assurance can take extra steps. All jars on Maven Central are GPG signed by their publisher, and Contrast's GPG public key is hosted on https://pgp.key-server.io/. Note that the listing below identifies the key by its short, 32-bit key ID (7E8F1053). Short key IDs are cheap to collide, so after importing the key compare its full fingerprint (gpg2 --fingerprint 7E8F1053) with a value obtained from Contrast through another channel before trusting it, and check the expiry date shown in the listing against the current date.

$ gpg2 ~/Downloads/contrast-public.asc 
pub 2048R/7E8F1053 2019-03-11 [expires: 2021-03-10]
uid Contrast Security <support@contrastsecurity.com>
sub 2048R/B6366A93 2019-03-11 [expires: 2021-03-10]

Users can import our public key to their keychain:

$ gpg2 --import ~/Downloads/contrast-public.asc 
gpg: key 7E8F1053: public key "Contrast Security <support@contrastsecurity.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

After importing the public key, users can use GPG to verify the authenticity and integrity of our agent jars from Maven Central. Every artifact we publish to Maven Central has a corresponding detached signature file ending in .asc. See this example directory listing (file name, last modified, size in bytes) for a Maven Central release: https://repo1.maven.org/maven2/com/contrastsecurity/contrast-agent/3.6.10.12442/

contrast-agent-3.6.10.12442-javadoc.jar 2019-12-06 17:21 342 
contrast-agent-3.6.10.12442-javadoc.jar.asc 2019-12-06 17:21 455
contrast-agent-3.6.10.12442-javadoc.jar.asc.m... 2019-12-06 17:21 32
contrast-agent-3.6.10.12442-javadoc.jar.asc.s... 2019-12-06 17:21 40
contrast-agent-3.6.10.12442-javadoc.jar.md5 2019-12-06 17:21 32
contrast-agent-3.6.10.12442-javadoc.jar.sha1 2019-12-06 17:21 40
contrast-agent-3.6.10.12442-sources.jar 2019-12-06 17:21 342
contrast-agent-3.6.10.12442-sources.jar.asc 2019-12-06 17:21 455
contrast-agent-3.6.10.12442-sources.jar.asc.m... 2019-12-06 17:21 32
contrast-agent-3.6.10.12442-sources.jar.asc.s... 2019-12-06 17:21 40
contrast-agent-3.6.10.12442-sources.jar.md5 2019-12-06 17:21 32
contrast-agent-3.6.10.12442-sources.jar.sha1 2019-12-06 17:21 40
contrast-agent-3.6.10.12442.jar 2019-12-06 17:21 9976968
contrast-agent-3.6.10.12442.jar.asc 2019-12-06 17:21 455
contrast-agent-3.6.10.12442.jar.asc.md5 2019-12-06 17:21 32
contrast-agent-3.6.10.12442.jar.asc.sha1 2019-12-06 17:21 40
contrast-agent-3.6.10.12442.jar.md5 2019-12-06 17:21 32
contrast-agent-3.6.10.12442.jar.sha1 2019-12-06 17:21 40
contrast-agent-3.6.10.12442.pom 2019-12-06 17:21 2167
contrast-agent-3.6.10.12442.pom.asc 2019-12-06 17:21 455
contrast-agent-3.6.10.12442.pom.asc.md5 2019-12-06 17:21 32
contrast-agent-3.6.10.12442.pom.asc.sha1 2019-12-06 17:21 40
contrast-agent-3.6.10.12442.pom.md5 2019-12-06 17:21 32
contrast-agent-3.6.10.12442.pom.sha1 2019-12-06 17:21 40

Download the agent jar and its detached signature file (the .asc file with the same name) and verify them with GPG, giving the signature file first:

$ gpg2 --verify contrast-agent-3.6.10.12442.jar.asc contrast-agent-3.6.10.12442.jar

When the jar matches the signature, gpg2 reports a good signature from "Contrast Security <support@contrastsecurity.com>". A line reading "WARNING: This key is not certified with a trusted signature!" only means that you have not marked the key as trusted in your own keyring; it does not mean the signature is bad. A bad or missing signature is reported as "BAD signature" or "Can't check signature", and gpg2 exits with a non-zero status.

Users downloading from Maven Central can also compare the MD5 or SHA1 checksum of the jar against the .md5 and .sha1 files that we deploy alongside every artifact. These are checksums, not signatures: they are served from the same location as the jar, so they guard against a corrupted or truncated download but not against a substituted artifact, and only the GPG signature ties the jar to Contrast. Each checksum file contains the bare hex digest with no file name, so compare it with the output of sha1sum or md5sum rather than passing it to sha1sum -c.

Note: Maven Central stopped supporting insecure (plain HTTP) connections as of January 2020:
https://twitter.com/sonatype_ops/status/1206610013822889989?s=09
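The steps above (import the key, download the jar with its .asc and .sha1, check the checksum, verify the signature) as one script. This is an added example, not Contrast's own tooling and not code from the original article. It assumes GnuPG 2.x, curl and sha1sum (or shasum) are on PATH, that the publisher's key is already imported into the current GNUPGHOME, and that its full fingerprint has been confirmed out of band; it pins that fingerprint rather than trusting gpg's exit code alone. The fixture it exercises (a throwaway signing key, a fake agent.jar and a Maven-style bare .sha1 file) is constructed inside the script so it runs offline; verify_maven_artifact is the network variant for the real files in the listing above.

```bash
#!/usr/bin/env bash
# Added example, not Contrast's own tooling: verify a Maven Central download
# against its detached GPG signature (.asc) and its bare-digest .sha1 file.
# Assumptions: GnuPG 2.x, curl and sha1sum/shasum on PATH; the publisher's key
# already imported into GNUPGHOME; its full 40-hex-digit fingerprint confirmed
# out of band (a short key ID such as 7E8F1053 is cheap to collide).
set -euo pipefail

# Hex SHA-1 of a file; works with GNU coreutils (sha1sum) and macOS (shasum).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# verify_sha1 FILE FILE.sha1: succeeds only if the digests match. Maven Central
# .sha1 files hold the bare hex digest (no file name), so sha1sum -c cannot
# read them; compare ourselves. This catches a corrupted download and nothing
# more: the checksum sits next to the jar, so whoever can swap one can swap both.
verify_sha1() {
  local actual expected
  actual=$(sha1_of "$1")
  expected=$(tr -d '[:space:]' < "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# verify_gpg FILE FILE.asc FINGERPRINT: succeeds only if gpg reports a valid
# signature AND the signing key (or its primary key) has the pinned fingerprint.
# gpg --verify exits 0 for a good signature from any key in the keyring, so the
# exit code alone would accept a signature from some other imported key. The
# VALIDSIG status line carries the signing-key fingerprint as its first field
# and the primary-key fingerprint as its last field.
verify_gpg() {
  local file="$1" sig="$2" want="$3" status
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  printf '%s\n' "$status" | awk -v want="$want" \
    '$2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 } END { exit !found }'
}

# verify_maven_artifact URL FINGERPRINT: the real-world use (needs network), e.g.
#   verify_maven_artifact https://repo1.maven.org/maven2/com/contrastsecurity/contrast-agent/3.6.10.12442/contrast-agent-3.6.10.12442.jar <fingerprint>
verify_maven_artifact() {
  local url="$1" fpr="$2" jar
  jar=$(basename "$url")
  curl -fsSL -O "$url" -O "$url.asc" -O "$url.sha1"
  verify_sha1 "$jar" "$jar.sha1"
  verify_gpg "$jar" "$jar.asc" "$fpr"
}

# make_fixture DIR: constructed stand-in for the Maven Central files so the
# checks can run offline. Generates a throwaway signing key in the caller's
# GNUPGHOME, signs a fake agent.jar the way the Maven GPG plugin does (armored
# detached signature), writes a Maven-style bare .sha1, and stores the key's
# fingerprint in DIR/publisher.fpr (standing in for the out-of-band value).
make_fixture() {
  local dir="$1"
  mkdir -p -m 700 "$GNUPGHOME"
  cat > "$dir/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Publisher
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
  gpg --batch --quiet --gen-key "$dir/keyparams" 2>/dev/null
  gpg --batch --with-colons --with-fingerprint --list-keys demo@example.invalid \
    | awk -F: '$1 == "fpr" { print $10; exit }' > "$dir/publisher.fpr"
  printf 'constructed stand-in for contrast-agent.jar\n' > "$dir/agent.jar"
  gpg --batch --armor --detach-sign --output "$dir/agent.jar.asc" "$dir/agent.jar"
  sha1_of "$dir/agent.jar" > "$dir/agent.jar.sha1"
}

# Offline demo: a good signature is accepted, then a one-byte change is rejected.
demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not found; skipping demo" >&2; return 0; }
  local work fpr
  work=$(mktemp -d)
  export GNUPGHOME="$work/gnupg"
  make_fixture "$work"
  fpr=$(cat "$work/publisher.fpr")
  verify_sha1 "$work/agent.jar" "$work/agent.jar.sha1"
  verify_gpg "$work/agent.jar" "$work/agent.jar.asc" "$fpr"
  echo "checksum matches and signature is good, from key $fpr"
  printf 'x' >> "$work/agent.jar"   # simulate a tampered download
  if verify_gpg "$work/agent.jar" "$work/agent.jar.asc" "$fpr"; then
    echo "BUG: tampered jar accepted" >&2; return 1
  fi
  echo "tampered jar rejected"
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}

demo
```

For the real artifact, run verify_maven_artifact with the jar URL from the listing above and the fingerprint you confirmed with Contrast; a .jar.sha1 that matches while the .asc fails should be treated as a substituted artifact, not a flaky download.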
